Thursday, 23 February 2012

The Safety Belt Paradox
The Payment Card Industry Data Security Standard (PCI-DSS) has now been around for over 6 years, but every day we speak to organizations that have yet to implement any PCI measures. So what's the real deal with PCI compliance and why should any company spend money on it while others are avoiding it?
Often the pushback is from Board Level, asking for clear-cut justification for PCI investment. Other times it comes from within the IT Department, seeking to avoid the disruption PCI measures will incur.

Regardless of where the resistance comes from, the consensus is that adopting the standard is a sensible thing to do from a security perspective. But like so many things in life, the common-sense view is outweighed by the perceived pain of achieving it - this thinking is often referred to as 'The Safety Belt Paradox', more of which later.

This is coupled with anecdotal feedback that, whilst the Acquiring Banks (payment card transaction processors) promote the need for PCI measures, they seldom have the focus and continual drive to monitor compliance status, making it all too easy for Merchants (anyone taking card payments) to carry on just as they are.

Prioritizing PCI Measures
With 12 headline Requirements covering 230 sub-requirements and around 650 detail points, encompassing technology, procedure and process, there is no denying that the PCI-DSS is complex and is likely to cause disruption. But the benefits ultimately outweigh the pitfalls, particularly when there are shortcuts to compliance, which follow the 'How do you eat a whale?' philosophy (one piece at a time, in case you were wondering).

This 'prioritized approach', advocated by the PCI Security Council, focuses attention on the most important 'biggest bang for buck' measures first, with the others broken into five levels of priority.
We would also always advise that, in order to control costs and minimize disruption, you understand the context and impact of each aspect to see which other Requirements can be taken care of by implementing the same measure. For instance, file integrity monitoring is specifically mentioned in Requirement 11.5, but actually applies to numerous other Requirements throughout the standard. The Device Hardening measures specified in Requirement 2 all come back to file integrity monitoring, because configuration files and settings need to be assessed for compliance with best practices, and once a device has been hardened it is vital that monitoring is in place to ensure there is no 'drift' away from the secure configuration policy adopted.
Similarly, log management and the need to securely back up event logs from all in-scope devices may only be detailed in Requirement 10; however, using event log data to track where changes have been made to devices and user accounts is a great way of auditing the effectiveness of your change management processes. Tracking user activity via syslog and event log data is generally seen as a means of providing the forensic audit trail for analysis after a breach has occurred, but used correctly it can also act as a great deterrent to would-be inside-man hackers if they know they are being watched.
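To make the 'drift' idea concrete, here is an added example (not code from the original post or any vendor product) that records SHA-256 fingerprints of a hardened baseline, compares a later snapshot against it, and then cross-checks every difference against change-management records, so that a change nobody approved stands out as unexplained drift. All file paths, contents and the approved-change list are constructed sample data.

```python
# Added example (not from the original post): file-integrity drift check in the
# spirit of PCI-DSS Requirement 11.5, cross-checked against change-management
# records to audit Requirement 2 hardening. All file contents are constructed.
import hashlib

def fingerprint(files):
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def detect_drift(baseline, current):
    """Return {path: 'modified' | 'added' | 'removed'} for every difference."""
    drift = {}
    for path in baseline.keys() | current.keys():
        if path not in current:
            drift[path] = "removed"
        elif path not in baseline:
            drift[path] = "added"
        elif baseline[path] != current[path]:
            drift[path] = "modified"
    return drift

def classify(drift, approved_paths):
    """Split drift into changes backed by an approved change record and unexplained ones."""
    result = {"authorized": [], "unauthorized": []}
    for path in sorted(drift):
        bucket = "authorized" if path in approved_paths else "unauthorized"
        result[bucket].append(f"{path} ({drift[path]})")
    return result

# Hardened state recorded at baseline time (constructed sample files).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sysctl.conf": b"net.ipv4.ip_forward = 0\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
# State found on the next scan: one edit, one deletion, one new file.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sysctl.conf": b"net.ipv4.ip_forward = 0\n",
    "/etc/profile.d/custom.sh": b"export PATH=/opt/tools/bin:$PATH\n",
}
# Paths covered by an approved change ticket (hypothetical change-management export).
APPROVED_PATHS = {"/etc/profile.d/custom.sh"}

def run_check():
    """Compare the two snapshots and classify each difference."""
    return classify(detect_drift(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES)), APPROVED_PATHS)
```

In a real deployment the baseline would be stored off-host and the scan scheduled, with the 'unauthorized' bucket feeding the same alerting pipeline as the event log data discussed above.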

As evidence of the value of this approach, implementing firewall and anti-virus measures properly, with checks and balances provided via automated event log processing and file-integrity monitoring, gets you around 30-35% compliant before you do anything else.

The Future of PCI-DSS
The PCI Security Standards Council insists that PCI is more about security than compliance. And it really does work - implemented correctly, the PCI-DSS will keep card holder data protected under any circumstances.

In the future, neglecting PCI Compliance measures could mean you are gambling with even higher stakes. With PCI being such a comprehensive framework, big-thinkers are arguing that PCI compliance should be leveraged to provide security for ALL company information as a whole and protect against the mainstream issue of Identity Theft. Losing card holder data is one thing, but risking your customers' personal information is potentially far more damaging and your customers won't thank you if you have been irresponsible.
This is certainly the case in Europe where, at the recent PCI Security Standards Council Meeting in London, the UK Government's Information Commissioner's Office recommended that organizations should look to implement PCI for general Data Protection. This is echoed across Europe, where ISO 27001 is taken much more seriously, especially in Germany, where the snappily entitled 'Bundesdatenschutzgesetz' (or BDSG - Federal Data Protection Act) has real teeth.

If a German organization loses the Personal Information of its customers then it is required by law to 'confess' by placing at least two, full-page advertisements in the National press informing the public of the potential Identity Theft they have been exposed to. Even if you don't believe in the power of advertising, you wouldn't want to test what this kind of publicity does for your brand and your sales.

The closest parallels in the US are the Nevada 'Security of Personal Information' law, where Nevada Senate Bill 227 specifically states a requirement to comply with the PCI DSS, and Washington House Bill 1149 (effective Jul 01, 2010), which "recognizes that data breaches of credit and debit card information contribute to identity theft and fraud and can be costly to consumers".

Which brings us back to the 'Safety Belt Paradox'. 50 years ago, the State of Wisconsin introduced legislation requiring seat belts to be fitted to cars. But very few people used them, because they were uncomfortable and slowed you down when starting a journey, even though most would admit they were a good idea.

So it was only in 1984, when the first US state (New York) made the wearing of a seat belt compulsory, that the real benefits were realized. Only then did common sense become standard practice. Maybe Personal Information Protection needs the same treatment?